Cyber Incident Victim: Fiverr
Date:
May 2016
Location:
Israel
Summary
The online marketplace experienced a six-hour distributed denial-of-service attack following its removal of DDoS-for-hire service listings, which were identified and reported by a security firm. The disruption caused significant downtime before normal operations resumed; security researchers suggested the attack was retaliation by actors previously offering the prohibited services on the platform.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Fiverr experienced a distributed denial-of-service (DDoS) attack on May 27, 2016, lasting approximately six hours during European morning hours. The attack followed Fiverr's removal of user listings advertising DDoS-for-hire services from its marketplace platform. This removal action occurred after cybersecurity firm Incapsula identified and reported these listings to Fiverr, which initially targeted advertisements explicitly offering illegal DDoS services before subsequently removing listings that framed DDoS activities as website "testing" for protection evaluation. Multiple users reported service disruptions to Softpedia, prompting Fiverr to acknowledge the technical issues publicly through its Twitter account. Platform functionality was fully restored after six hours of disruption, with normal operations maintained for over two hours by the time of Softpedia's reporting. Mikko Hypponen, Chief Research Officer at F-Secure, publicly speculated via Twitter that the attack likely represented retaliatory action by providers whose DDoS-for-hire services had been removed from Fiverr's platform.
The incident timeline began with Incapsula's discovery of $5 DDoS-for-hire listings on Fiverr's marketplace, which triggered Fiverr's content moderation response. Following the removal of these services, attackers disrupted Fiverr's platform access for users across multiple regions. The company's public communications via Twitter served as its primary incident acknowledgment mechanism, though specific technical details regarding attack vectors, traffic volumes, or mitigation strategies were not disclosed in available reports. Service restoration occurred without further publicized complications, with no subsequent attacks reported in immediate follow-up coverage. The DDoS attack constituted direct operational impact through six hours of continuous platform downtime, though no data breaches or secondary compromises were indicated in reporting. Fiverr's removal of both explicit DDoS service advertisements and disguised "testing" offerings demonstrated an expanded content policy enforcement approach following external security reporting.